Talos Vulnerability Report

TALOS-2017-0367

Iceni Infix PDF parsing SetSize Code Execution Vulnerability

July 11, 2017

CVE Number

CVE-2017-2863

Summary

An out-of-bounds write vulnerability exists in the PDF parsing functionality of Infix 7.1.5. A specially crafted PDF file can trigger this vulnerability, resulting in potential memory corruption. An attacker can send the victim a specific PDF file to trigger this vulnerability.

The function SetSize sets the dword value located at EDI+23Ch. When a malformed file is being parsed, this value is set to 0xFFFFFFFF, which normally should indicate an error. However, because no further error checking is performed, this value (0xFFFFFFFF) is later passed to the memset function as its size parameter, which causes the memory corruption to occur.
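
The pattern described above, as an added C sketch that is not Infix code: an error sentinel stored in a size field reaches memset unless the caller checks it first. The struct layout, the function names, the 64-byte buffer and the way `set_size` decides an input is malformed are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZE_ERROR 0xFFFFFFFFu  /* value the advisory says should indicate an error */
#define BUF_CAP    64u          /* constructed capacity, not taken from Infix */

/* Hypothetical stand-in for the parser object; the real layout is not on the page. */
struct parser_obj {
    uint8_t  buf[BUF_CAP];
    uint32_t size;              /* plays the role of the dword at EDI+23Ch */
};

/* Assumed model of SetSize: a malformed (negative or oversized) length stores the sentinel. */
void set_size(struct parser_obj *o, int64_t declared_len)
{
    if (declared_len < 0 || declared_len >= (int64_t)SIZE_ERROR)
        o->size = SIZE_ERROR;
    else
        o->size = (uint32_t)declared_len;
}

/* Unchecked pattern from the advisory: the sentinel reaches memset as the size. Never called here. */
void clear_unchecked(struct parser_obj *o)
{
    memset(o->buf, 0, o->size); /* size == 0xFFFFFFFF writes far past buf */
}

/* Hardened form: treat the sentinel as an error and bound the size by the destination. */
int clear_checked(struct parser_obj *o)
{
    if (o->size == SIZE_ERROR)
        return -1;              /* propagate the parse failure */
    if (o->size > sizeof o->buf)
        return -2;              /* would write out of bounds */
    memset(o->buf, 0, o->size);
    return 0;
}

int main(void)
{
    struct parser_obj o;
    memset(&o, 0xAA, sizeof o);
    set_size(&o, -1);           /* constructed malformed input */
    printf("malformed: size=0x%08X checked=%d\n", (unsigned)o.size, clear_checked(&o));
    set_size(&o, 16);           /* constructed well-formed input */
    printf("valid:     size=%u checked=%d\n", (unsigned)o.size, clear_checked(&o));
    return 0;
}
```

The second check in `clear_checked` matters independently of the sentinel: any size larger than the destination buffer is rejected, so a bogus but non-sentinel value cannot reach memset either.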